Notes for Week 4

The system log file is /var/log/sys.log, and security logging is done to /var/log/auth.log.
Recent entries can be examined using

tail -n100 /var/log/sys.log

grep can be used to search the log file for recurring events of
interest, such as reboots:

grep /var/log/sys.log -ie 'syslogd.*restart'

users logging in as root, or su-ing to become root:

grep /var/log/auth.log -ie 'root'

or hardware errors:

grep /var/log/sys.log -ie 'device-file-name'

where "(device file name)" is, for example, sr0.

The Xorg log file is /var/log/Xorg.(display-number).log.

Windows log files can be examined using the "Event Viewer" (under "Administrative Tools" in the Control Panel). The
files themselves are C:\Windows\*.log.

The kernel is essentially a large C program. The main program begins by interrogating the CPU, RAM, the
I/O devices, the PCI bus, the Plug and Play BIOS, etc. The root partition is then mounted read-only (so
that it can be checked without corrupting it) and the init program is started. init stays
running as long as the system is up, and is the ultimate "ancestor" (parent, grandparent, etc.), of every
process that runs.

The numbers in parentheses are pids (process identifiers); every process that is running has a unique pid
whose maximum value is a function of RAM size
(after the pids increment to the maximum, they start over again at the lowest unused number).

Some of the processes started by init are daemons: programs that provide services to the operating system,
it's users, or network clients. Their names typically end with a "d" (although not always), and are
pronounced, for instance, "k"-"log"-"d".

udevd handles dynamic creation and destruction of device files as hardware is attached and detached from the system;

syslogd and klogd handle system and kernel logging (of error and status messages);

cupsd is the print spooler daemon;

ntpd is the network time protocol daemon, which keeps the system clock synchronized to
standard clocks on the Internet;

dbus-daemon is the message bus daemon (used for inter-process communication);

gpm is the general purpose mouse handler (does the auto-copy and scroll-wheel pasting we discussed the first week).

The monitor and keyboard directly attached to the PC which runs Linux is the console. By entering Alt-F1
through Alt-F6, the console "operator" (as distinguished from any user which might telnet to Linux to use
the system remotely) can switch between the virtual consoles. The agetty processes listed above issue
a login prompt to each of the virtual consoles; when a user enters a login name, the agetty program exits and
passes that name to the login program, which asks for and validates the password, and then starts a shell
(in this case bash), which supplies the command prompt. When the user executes the logout command, the login
process exits and init starts another agetty.

The startx command is really a script which in turn runs the xinit program,
which in turn runs X.
X is the display "server", or driver, which switches the console to graphical
mode and controls the display until X-Windows is exited. While X is running, the consoles are unavailable
through the Alt-F# keys. X
starts the window manager (in this case, wmaker, or WindowMaker), which controls drawing on the graphical
display (windows, title bars, buttons, scroll bars, icons, etc.). There are a number of
window managers available. Client programs running under
the window manager include xosview, xclock and xterm (which requires an associated luit
process for Unicode support).
And of course, xterm emulates a terminal (telnet) session, and
so starts a bash shell under which the pstree command whose output we have been analyzing was run.

R = runnable (on the run queue)
S = sleeping
T = traced or stopped (for instance, by Crtl-Z, which you should never use!)
W = paging
Z = a zombie process, which has terminated but its parent has not cleaned it up properly; init will
do this when the parent process exits

START = clock time when process started

TIME = CPU time used to date

COMMAND = process command line

Some of the process names are self-explanatory, while others are not so. For example,

The daemons listed in brackets are actually not separate programs, but are part of the kernel itself. Those ending
with "/0" or "/1" denote processes attached to specific CPUs.

Note that there is no agetty for tty1; this is the virtual console in which all of the processes in the
current interactive login session are running. Also note that X runs as root, although it
was started by ken; X must run as root in order to control the display.

In Windows you can invoke the task manager using the keys Ctrl-Alt-Delete, but it does not show kernel processes,
amd provides precious little information.

Information about processes running on the system is kept in the /proc directory. It and /sys are really
pseudo-filesystems: they only exist in memory, providing a filesystem interface to kernel data. Each
process has its own directory whose name is /proc/pid (ie., the wmaker process in the example above would be
located in the directory /proc/3407). In that directory is (among other things):

The stroke ("|") indicates a pipe: the output (stdout) of one command becomes the input (stdin) of the next.
We will go into pipes in more detail in week 8.

The tr command is used here to translate NUL characters to newline characters
(strings are terminated by NULs in C; newline is the end of line character in UNIX; Windows uses "\r\n", or
"carriage return/line feed" for its newline sequence).

the program which is running (ls -l /proc/pid/exe);

the files which the process currently has open (ls -l /proc/pid/fd);

("fd" is short for "file descriptor".)
Note that all processes have the following three files open:

0 - stdin: the default source of input (the keyboard, when running interactively from the command line);

1 - stdout: the default destination of output (the display, when running interactively from the command line); and

2 - stderr: the default destination for error messages (the display, when running interactively from the command line).

limits on resource utilization by the process (cat /proc/pid/limits);

the complete map of virtual memory utilization by the process (cat /proc/pid/maps);

the root of the file system accessible to the process (ls -l /proc/pid/root) (see the chroot command);

the process status (cat /proc/pid/status) and kernel wait point
(cat /proc/pid/wchan); most of this information can be teased out of ps.

In addition, information about the hardware and operating system can be obtained by:

"column -t" formats the output of the cat command to make it more readable.

cat /proc/stat (see /usr/doc/linux-3.13/filesystems/proc.txt);

cat /proc/uptime (see /usr/doc/linux-3.13/filesystems/proc.txt);

cat /proc/version (current running kernel version);

cat /sys/bus/usb/devices/device/* (particularly bMaxPower and speed).

You can also find information on your pci devices in /proc/bus/pci/devices, but the lspci command is much more helpful.

Study the proc man page in section 5 for more information.

In general, stay out of /proc/sys - unless you really know what you're doing, it is extremely easy to shoot yourself
in the foot by changing parameters on the running kernel. That said, there are two parameters that I like to change at
startup:

These cause flush to run more frequently, which I find spreads disk i/o out, reducing the times when the system seems
to pause while buffers are being flushed. Your mileage may vary... See /usr/doc/linux-3.13/sysctl/vm.txt for more information.

kill can be used to send signals to processes (see the signal man page in section 7 for the meanings
of the various signals). Many daemons will re-load their configuration files when they receive a
SIGHUP.

EXERCISES for Week 4:

What is the most recent precision computed for ntpd?

What is the fully qualified filename for the parent program of xclock?

What is the program on your system which has used the largest amount of CPU time since it began?